CHAPTER 3: PROTOCOLS - CMSChapter 3: Protocols Introduction A protocol is a step-by-step instruction for performing a specific process. In the Medicaid Enterprise Certification Toolkit

CHAPTER 3: PROTOCOLS

Certification Review Protocol Event Line

Step Activity

1. Request for certification

2. Certification review Team formation

3. Response to request for certification and specification of data needs

4. Establishing checklists for the onsite visit

5. Initial review of material

6. Certification review Team RO briefing

7. Pre-certification meeting/call

8. Completion of preparations

9. Entrance conference

10. Evaluation of the MMIS

11. Exit conference with State debriefing

12. Analysis of data

13. Resolution of issues

14. Certification decision

15. Certification report

16. Preparation of response to the State

17. Conclusion of the process

Medicaid Enterprise Certification Toolkit

Chapter 3 – Protocols

This document is the property of CMS. It may be reproduced but not

modified, sold for profit, or used in commercial documents. Adherence to the protocols, checklists, and other tools contained in this document does not, in

itself, guarantee Federal certification of the Medicaid Management Information system or Federal funding.

3-1 September 28, 2007

Step Activity 1. Request for certification 2. Certification Review Team formation

3. Response to request for certification and specification of data needs

4. Establishing checklists for the onsite review 5. Initial review of material 6. Certification Review Team RO briefing 7. Pre-certification meeting/call 8. Completion of preparations

Chapter 3: Protocols Introduction

A protocol is a step-by-step instruction for performing a specific process. In the Medicaid Enterprise Certification Toolkit (Toolkit), protocols have been developed for three of the Certification roadmap milestones.

The three protocols listed below are included in the Toolkit:

1. Advance Planning Document (APD) Development and Review Protocol (Milestone 2) 2. State Certification Readiness Protocol (Milestone 4) 3. Centers for Medicare & Medicaid Services (CMS) Certification Review Protocol

(Milestone 6)

Each protocol begins with an overview, followed by an event line that lists the detailed steps to be completed for each activity as shown in Table 3-1.

Table 3-1 Example of a Protocol Event Line

Event Line

Step Activity 1. 2. 3. 4. 5. 6. 7. 8.







A user should first read the protocol to understand the steps involved in each activity followed by a review of the checklists in Chapter 5. After familiarization, users should begin with the first step of the protocol and work through until all steps are completed. The three protocols are described below:

� The APD Development and Review Protocol produces a set of abbreviated checklists that identify the State’s business objectives for each business area. These are used to demonstrate the goals and objectives of the new MMIS. Later, this becomes a starting point for the State Certification Readiness Protocol.

� The State Certification Readiness Protocol, when completed, provides assurance to the State that the Medicaid Management Information System (MMIS) is certifiable and communicates to CMS that the State has determined that Federal requirements have been satisfied.

� The CMS Certification Review Protocol is used by CMS to evaluate a State MMIS to certify that it meets all Federal requirements and, therefore, is eligible for enhanced Federal financial participation (FFP) for MMIS operation. The protocol contains the step-by-step procedures to be followed by the State and CMS.

In addition to the three protocols listed above, this chapter contains four templates that provide guidance for the contents of documents described in the protocols. These templates are:

1. State Request for Certification Letter 2. CMS Reply to State Request Letter 3. CMS Certification Review Final Report 4. CMS Certification Disposition Letter

The templates are located following the CMS Certification Review Protocol.







First Protocol – APD Development and Review Protocol

Protocol Overview The APD Development and Review Protocol is intended to be used by both the State and the RO. It corresponds to Milestone 2 APD Development in the Medicaid Enterprise Certification Roadmap presented in Chapter 2. The objective is to utilize the checklists to provide both the State and the approving RO a high-level overview of the proposed MMIS.

The business areas and business objectives (not the detailed review criteria) from the checklists are used by the State to ensure that each Medicaid business area has been considered and that the State’s unique business objectives are included. The objectives sections of the checklists accompany the APD when it is sent to the RO for review. They are then used as a basis for communication throughout the planning process. Each applicable business area will be fully detailed in the RFP for MMIS development.

Effective on April 1, 2007, CMS requires States to attach a MITA Self-Assessment to the APD.

The checklists will be maintained by the State, and the State-specific objectives may evolve throughout the DDI process. The APD and associated checklist objectives provide a high-level view of the State’s intentions in obtaining a new or replacement MMIS. The RFP will present the detailed requirements. In keeping with this distinction, the APD Protocol results in defining high-level objectives for the MMIS and does not contain reference to detailed requirements.

SMM 11200 Excerpt: “For the 90 percent funding rate, all requests are subject to prior approval. For 75 and 50 percent funding, a request other

than a sole source procurement is subject to prior approval when the estimated costs exceed the threshold amount found in 45 CFR 95.611(a),

currently $5,000,000.”

APD Development and Review Protocol Event Line The following steps in Table 3-2 are required to complete this protocol.

APD DEVELOPMENT

State References the Toolkit and

Works with CMS RO in Preparing

APD

2







Table 3-2 APD Development and Review Protocol Event Line

APD Development and Review Protocol

Step Activity

1. Selecting checklists

2. Tailoring of checklists for APD use

3. Completing the APD checklists

4. Reviewing the APD checklists

5. Using the checklists

6. Keeping the APD checklists up to date

The specific steps required to complete this protocol are described below. The APD Development and Review Protocol has six steps.

Step 1: Selecting Checklists The State must review all of the checklists in the Toolkit, Chapter 5. Most of the checklist criteria are based on requirements that are mandatory for a Medicaid agency and, therefore, must be supported by the MMIS. The following optional checklists do not apply if the State does not intend to support these four business areas with the MMIS: Managed Care, Home and Community-Based Services (HCBS) Waivers, Immunization Registries, and Decision Support Systems/Data Warehouse. Note that there are four Managed Care checklists, and some may not apply depending on what form of managed care a State has implemented. Similarly, there are two checklists for immunization registries: one for an immunization registry developed, maintained, and operated by the Medicaid agency, and one for an immunization registry developed and operated elsewhere in the State, but with which the MMIS interfaces. If any of the non-mandatory checklists does not apply to the MMIS in development, it should be marked “Non-Applicable” and included in the package submitted to the RO as an attachment to the APD. The Non-Applicable checklists should contain a short comment regarding the State’s decision that the checklist does not apply.

Product: Set of applicable checklists, with others marked N/A

Step 2: Tailoring Checklists for APD Use The Business Objectives sections of the checklists are the focal point for the APD protocol. The State should review each applicable checklist and the business objectives listed. Any business objective that does not apply should be marked “Non-Applicable.” Business objectives that have associated Federal requirements must not be marked N/A since these are required. The State should also review the detailed system review criteria associated with each business objective to fully understand its scope. After the detailed system review criteria are reviewed they should be







deleted from the checklists. The purpose of the checklist developed under the APD protocol represents a high level view of the business area with its business objectives. The remainder of the APD protocol uses only the business objectives section of the checklists.

Product: The selected checklists with business objectives reviewed and detailed system review criteria deleted.

Step 3: Completing the APD Checklists The objectives of completing the tailored checklists are to ensure that the State considers the magnitude and complexity of the MMIS proposed to be developed and to verify that the new MMIS will satisfy all business objectives of the State Medicaid program, both Federal- and State-specific.

To complete the protocol, the State should review each Medicaid business area and its business objectives. New objectives should be added for those business areas in which the State has State-specific objectives developed in Milestone 1. States should list the new objectives and create corresponding system review criteria for the existing checklist during the development of the RFP. Some of the checklists contain examples of possible State-specific objectives and system review criteria. State business objectives should be directly tied to system requirements contained in the APD and RFP. If the State has goals and objectives in a business area that could not be mapped to the Federal business areas in Milestone 1, the State should create a new checklist. Before the development of a new checklist is undertaken, the rationale for doing so should be discussed with the RO. The process for developing a new checklist is discussed in Chapter 4.

Product: APD checklists-A tailored version of the selected checklists, reduced to the Business Objectives section. The business objectives provided in the checklists are expected to be augmented by State-specific objectives. The State must provide this supplemental information as part of the justification of its request for funding contained in the APD and thus should attach these APD checklists to the APD request.

Step 4: Reviewing the APD Checklists The completed APD checklists are intended to improve the communication and understanding between the State and the RO regarding characteristics of the proposed new MMIS. They will ensure that all Federal and State-specific MMIS requirements are met, resulting in improved support to the State’s Medicaid enterprise.

When the APD and attached checklists are received by the RO, the checklists will be reviewed to ensure that all business objectives have been annotated. The RO will review the comments on the checklists in order to understand the objectives and intentions of the State.







Product: RO understanding of the business goals and objectives of the State to be supported by the new MMIS.

Step 5: Using the Checklists Once the APD approval process has been completed, the APD checklists will provide a high-level description of the business areas and business objectives that will be supported by the MMIS. The set of checklists included with the APD is an appropriate starting point for developing an RFP.

Product: Approved set of checklists that is a good starting point for an RFP development.

Step 6: Keeping the APD Checklists Up to Date As the detailed work of developing an RFP and negotiating a contract is completed, the State may determine that the previously reviewed and accepted APD checklists are no longer adequate or accurate. The business objectives may need revision or amplification based on the further analysis performed during the development of the RFP. The goal is to keep the business objectives sections of the checklists current, to maintain communication with the RO, and to provide a basis for the State Certification Readiness protocol, which supports Milestone 4 described in the next section. It is the responsibility of the State to make changes and send updated checklists to the RO.

Product: Updated checklists that support communications with the RO about changes to State plans and an up-to-date set of checklists business objectives that can be used in future milestones.







Second Protocol – State Certification Readiness Protocol

Protocol Overview The State Certification Readiness Protocol is used by the State to ensure that all Federal and State MMIS requirements have been satisfied and that the new MMIS is ready for certification. It also guarantees that the State-specific criteria, which are derived from the functionality approved in the APD, are satisfied. The protocol initiates the collection of data for CMS review during the certification process.

Data collection should begin when the new MMIS is accepted for operation and initiates production. It must begin on or before the date for which the State intends to seek 75-percent Federal financial participation for MMIS operations per 42 CFR 433.116 and SMM 11240 – 11260. The checklists are completed by the State and enclosed with the letter from the State to CMS requesting the certification review. If the checklists were used and updated during the MMIS development process, much of the effort leading to a completed readiness assessment has already been accomplished.

State Certification Readiness Protocol Event Line The following steps in Table 3-3 are required to complete this protocol.

Table 3-3 State Certification Readiness Protocol Event Line

State Readiness Assessment Protocol

Step Activity

1. Selecting checklists

2. Tailoring checklists

3. Filling out checklists

4. Beginning data collection

5. Submitting the checklists

Step 1: Selecting Checklists If the checklists were created, updated, and used, as suggested in this Toolkit, during the APD approval, RFP preparation, and MMIS development phases, these checklists are the ones to be used for the State Certification Readiness Assessment. If a State has previously submitted an APD and it was approved before this Toolkit was published, the State will be encouraged to use

VALIDATE MMIS FUNCTIONALITY

State Uses Toolkit

Checklists for Guidance

4







the new checklists rather than using the old MMIS Certification Review process/checklists. If a State has not completed the checklists and agrees with the RO to use them, the State must prepare a set of checklists by following Steps 1, 2, and 3 in the APD Development and Review Protocol discussed at the beginning of this chapter. This will produce a set of checklists that contain all applicable business areas, business objectives, and system review criteria.

Product: Set of checklists that cover all applicable business areas, business objectives, and system review criteria.

Step 2: Tailoring Checklists for Certification Readiness Use The focus of tailoring checklists for certification readiness assessment use is to ensure that all applicable Federal and State business objectives and associated system review criteria are included. For each business objective, the Federal and State-specific system review criteria are inserted. The MMIS system requirements must be reviewed and mapped to the checklist system review criteria. If there are State-specific requirements for which no system review criteria exist, system review criteria must be specified and inserted by the State. If there are criteria that do not map to system requirements, they should be identified as “Non-Applicable.” However, Federal requirements cannot be marked as “Non-Applicable”. If the checklists were used to support development of the RFP and used as a guide to verification of the new MMIS, this step will have been completed (see Milestones 3 and 4, respectively). When tailoring is complete, the system review criteria in the checklists should match the requirements in the RFP, even if the RFP requirements are more specific and detailed.

Product: Set of checklists with all Federal and State-specific system review criteria in place for each business objective. The system review criteria must represent all MMIS requirements.

Step 3: Filling Out the Certification Readiness Checklists The objective of filling out the checklists for the certification readiness assessment is to demonstrate that the MMIS satisfies all of the Federal and State-specific requirements. This will ensure that the MMIS meets State Medicaid enterprise objectives and the Federal requirements needed for certification. To fill out the checklist, State staff must enter a response to each criterion on every applicable checklist, one by one. If the MMIS meets the criterion, the “Yes” block on the line with the criterion is to be checked. If the MMIS does not meet the criterion, the “No” block is to be checked. If the criterion is not met, the comment field should be used to note the reason. If needed, the responder may reference a separate page on which the comment is explained. The criterion number should be used as a cross reference. If the criterion is not fully met, the “Yes” block may still be checked and the comment field used to note the discrepancy.

Once checklists have been filled out, the State should review the results. If there are unmet criteria, the State should discuss the situation with the RO before proceeding to request certification.







Product: Fully completed checklists showing all criteria which demonstrate that Federal and State requirements have been satisfied.

Step 4: Beginning Data Collection The State will be required to provide data and reports that document that the MMIS meets all of the required criteria in all applicable checklists. This information and documentation must be collected beginning on or before the date from which the State intends to claim enhanced operational funding and cover a period of at least six months of full operation. The State should provide a “folder” (see Special Terms and Acronyms for a definition of a folder) for each criterion that contains reports, print screens, or other documentation that demonstrate that the criterion is satisfied. The State should consult with its RO representative to ensure that its collected data and information will satisfy the needs specific to the certification process and that the amount of paper collected can be minimized. For example, if a monthly report is produced, CMS will expect to see monthly copies of the report. If a criterion applies to daily operations, CMS will want to see evidence from the beginning, middle, and end of the operational period prior to certification.

Product: Initiation of a data collection process that demonstrates that each criterion in the checklists has been met.

Step 5: Submitting the Checklists The State should send the RO a copy of the filled out Certification Readiness checklists for review. The RO will review the checklists to make sure that all of the criteria derived from Federal requirements have been checked “Yes” and that all of the capabilities that the State planned to develop, as defined in the APD and approved RFP, have been delivered.

After the RO review and any required discussions with the State, the checklists are ready to be enclosed with the letter requesting CMS certification of the new MMIS. This step is discussed in Step 1 of the Preparation Phase of the CMS Certification Review Protocol.

Product: A set of completed checklists reviewed by the RO and ready for official submission to CMS.






3-10 September 28, 2007

Third Protocol − CMS Certification Review Protocol

Protocol Overview Certification review is the formal process carried out by CMS to ensure that an MMIS developed for a State meets Federal requirements and any other requirements of the approved MMIS project. A certification review is scheduled when a State sends a letter to CMS requesting certification and includes documentation that the State has accepted the system from the developer and that the system is fully operational. The certification process includes both an evaluation of MMIS system outputs/information and an onsite examination of the MMIS including specific system performance and functionality used by the State for effective management of the State Medicaid program. The new focus of the review is the checklist criteria derived from Federal requirements and the system capabilities that were funded based on the APD and RFP. This protocol provides a step-by-step procedure for carrying out the certification review process. This protocol corresponds to both Milestone 5 and Milestone 6 in the certification roadmap presented in Chapter 2. This protocol is primarily implemented by CMS; however, there are required State activities.

There are three phases to the MMIS certification review and evaluation process:

� Preparation � Onsite visit � Post review analysis and follow-up

Specific protocol steps belong to each phase:

� The preparation phase consists of steps 1 – 8, which include all the activities beginning with the request for certification from a State through the formation of the CR Team and the pre-visit meeting/call with the State requesting the certification.

� The onsite visit phase consists of steps 9 – 11, which encompass all of the fact-finding and information gathering performed while the CR Team is at the State site. It includes the entrance conference, system evaluations based on the checklists, document reviews, meetings with key personnel, and an exit conference debriefing. During the debriefing, the CR Team lead describes to the State the preliminary observations, including both strengths and weaknesses of the system determined during the review. The debriefing includes any suggestions for improvement that the CR Team would like to convey. The results of the certification review will not be available at the time of the debriefing.

� The post review phase consists of steps 12 – 17, which include any follow-up activities required, including possible corrective actions. These activities are based on what was found during the assessment process. It concludes with a letter from CMS to the State that includes the disposition of the certification request and, if certification is granted, the






3-11 September 28, 2007

effective date of certification. The letter may also identify additional corrective actions upon which the certification is contingent.

The following Table 3-4 shows the steps required in each phase to complete this protocol.

Table 3-4 CMS Certification Review Protocol Event Line

Certification Preparation Phase Event Line

Step Activity



3. Response to request for certification with specification of data needs list






Onsite Visit Phase Event Line

Step Activity




Post Review Analysis and Follow-up Phase Event Line

Step Activity







CMS Certification Review Timeline Once the validation of the MMIS functionality (Milestone 4) is completed, the focus changes to preparation for certification. The checklists used to support validation are reviewed by the RO to ensure that they accurately reflect the content and status of the system and that all criteria based






3-12 September 28, 2007

on Federal requirements have been satisfied. Preparation of these checklists is described in the State Certification Readiness Protocol.

After about two months of successful operation and after discussion and agreement with the RO, the State may prepare and submit an official letter to CMS requesting certification of its MMIS. A copy of the State’s letter to the MMIS contractor or State development team accepting the system (and a copy of the completed checklists, which demonstrate that the MMIS is ready for certification), accompany the letter. Template 1 following this protocol provides guidance for preparation of the letter from the State to CMS. After receipt of the letter, CMS will form a CR Team and respond to the State letter. Guidance for this response letter is given in Template 2. In the response, CMS will specify the information it requires from the State to be either sent before or to be available at the onsite visit.

An example of the data that will be requested is shown in Step 3 of the preparation phase of this protocol. In addition, the State must collect data that demonstrates that all valid criteria in all relevant checklists have been satisfied. The data collection process is described in Step 4 of the State Certification Readiness Protocol.

Milestone 5, the Pre-Certification Meeting/Call will be accomplished about four months after the receipt of the State’s certification request letter by CMS. The onsite visit, Milestone 6, takes place after the completion of at least six months of successful full MMIS operation. The certification visit will be scheduled at a mutually agreeable time.

Certification Preparation Phase The preparation phase for an onsite visit with CMS includes all of the activities to be completed, beginning with the receipt of a letter from a State requesting certification up to the onsite visit.

The steps in Table 3-5 are required to complete the certification review preparation phase.






3-13 September 28, 2007

Table 3-5 Certification Preparation Phase Event Line

Certification Preparation Phase Event Line

Step Activity



3. Response to request for certification with specification of data needs list






Step 1: Request for Certification The certification process begins with a letter from the State Medicaid Director or comparable State official to the CMS Central Office requesting MMIS certification. The letter must include; 1) a declaration that the State’s MMIS meets all of the requirements of law and regulation; 2) a copy of the official acceptance letter from the State to the MMIS contractor or State development team; 3) the date the system became fully operational; and 4) the suggested date or timeframe when the State wants to undergo the onsite visit. The letter must also certify that the MMIS does the following:

� Meets the requirements of 42 CFR 433.117 for all periods for which the 75-percent FFP is being claimed

� Issues Explanation of Benefits (EOBs) on a regular basis for all periods for which 75-percent FFP is being claimed, in accordance with the provisions of Section 10 of P.L. 95-142, which amends section 1903(a)(3) of the Social Security Act

� Is ready for CMS certification, based on the State’s evaluation using the checklists in the Toolkit

� Adjudicates claims and information required for payment of services in accordance with all provisions of 42 CFR 447 and the approved State Medicaid plan

� Routinely generates data tapes containing up-to-date and accurate MSIS (Medicaid Statistical Information System) data in accordance with the Tape Delivery Schedules contained in CMS’ MSIS Tape Specifications and Data Dictionary (Balanced Budget Act of 1997 [Public Law 105-33, section 4753])

� Exercises appropriate privacy and security controls over the system in accordance with 45 CFR Part 164, P.L. 104-191, the Health Insurance Portability and Accountability Act






3-14 September 28, 2007

(HIPAA) of 1996, and 1902(a)(7) of the Social Security Act as further interpreted in regulations at 42 CFR 431.300 to 307

A completed and filled-in copy of the checklists from the Toolkit and any supporting documentation must accompany the letter. The State should follow the State Certification Readiness Protocol, which specifies the process to produce the checklists.

The RO responsible for the State will provide the State with guidance on the schedule for sending the request letter. Ideally, the State should ask for certification four to six months prior to the expected date for the onsite visit to occur. This allows time for the CR Team to be formed and for their review of all requested materials from the State. At the end of this chapter, a sample certification request letter that the State can use as guidance in preparing the letter to CMS is shown in Template 1. The RO will provide the State with the latest version of this sample letter.

Product: Letter from the State requesting certification with attestations and completed checklists.

Step 2: Certification Certification Review Team Formation The CR Team and Team lead are appointed by the Director of the CMS Division of State Systems (DSS). The CR Team will include qualified Central Office (CO) and RO staff along with the State’s RO representative. Ideally, the CR Team should consist of a minimum of five members, including the Team lead and the RO representative.

The Team lead is responsible for coordinating and scheduling with the RO and the State all activities that are to take place before, during, and after the onsite visit. This includes all interviews, data products, and system access needed, along with the visit logistics. The Team lead designates areas of responsibility to CR Team members and sets up required meetings, discussions, and conferences to discuss planning and scheduling.

Product: Established Certification Review Team and Team lead.

Step 3: Response to Request for Certification and Specification of Data Needs After the CR Team is formed the Team lead prepares a letter that acknowledges the State’s certification request letter and is then signed by the Director, DSS. A sample letter from CMS to the State is included as Template 2 at the end of this chapter.

The CMS letter presents an overview of the certification process, provides the general timeline of events, and identifies the CR Team members and their areas of responsibility. Attached to the letter is a list of the information required by the CR Team to be submitted in order for them to prepare for the certification review process. This list is likely to contain the following






3-15 September 28, 2007

documentation and additional information needed from the State as determined by the Team lead:

� The date the system was officially accepted by the State as fully operational � The time period of system operations to be claimed at 75-percentFFP rate � An enterprise system diagram, including all components of the MMIS, identifying overall

logic flow, data flow, systems functions, and their associated data storage � A full and complete set of system documentation (hard copy available onsite) � A network schematic showing all network components and technical security controls A

narrative description of each identified MMIS component, including basic functions and the business area supported

� A list of all error codes and explanations by MMIS component � A record layout of each data store with data element definitions � A list of information retrieval functions and reports for each business area (including a

list that identifies the distribution of the reports and who can access the information retrieval displays)

� A substantive and representative set of all reports and information retrieval screens (electronic format preferred)

� Evidence that Medicaid Statistical Information System (MSIS) data requirements have been met for timeliness and data quality

� A statement that the system meets Health Insurance Portability and Accountability Act (HIPAA) requirements for transactions and code sets, privacy and security, and when required, National Provider Identifier (this statement is in addition to the completion of all the HIPAA-related checklist criteria)

� A system acceptance test plan and results � Evidence that a security risk assessment of the new system has been conducted by

qualified personnel to identify security vulnerabilities and that the State has implemented security controls commensurate with these risks and vulnerabilities

� A list of all local and off-site facilities

The CMS letter will also indicate that the State must provide documentation showing evidence of the operational status of the MMIS from the date claimed as the start of the operational period to the time of the visit. In order to certify the system, by the time of the onsite visit the system must have been in full operation for at least six months and must have documentation available for that entire period. In particular, the State must have records of all of its standard reports used to manage the Medicaid program. Archives of any other records needed to show the system has been fully operational are also required. Data that shows satisfaction of all of the applicable criteria for all of the applicable checklists must be available for review during the CR Team






3-16 September 28, 2007

onsite visit. Collection of this data is described in Step 4 of the State Certification Readiness Protocol.

The State must provide the data in a mutually agreed upon electronic format or hard format or both at the CR Team reviewer’s preference. The State must also provide a copy of the APD, RFP, vendor response to the RFP, contract and system design, and implementation and operations documentation in the same format.

The Team lead must coordinate possible dates for the CR Team briefing, the pre-visit meeting/call, and the onsite visit with the responsible RO. Key State staff, and at the State’s discretion, key contractor staff responsible for the development or operation of the MMIS and respective RO staff are invited to participate in the pre-visit meeting/call. They are invited to come to the CMS Central Office in Baltimore, Maryland for the meeting or to hold a telephone conference call with CMS. At this meeting/call, the key State staff provide a system overview, brief the CMS CR Team on the status of its MMIS, and report on trends of key metrics. The CMS CR Team describes the review activities and answers State questions. At this time, the CMS CR Team may ask for the State to provide additional information.

Product: Letter to State that names the CR Team members and specifies data and information needs of the CR Team; State response to the letter must include the requested data.

Step 4: Establishing Checklists for the Onsite Visit Checklists are the chief tool used in the certification process. The CR Team uses a set of checklists that contain system review criteria based on all of the applicable Federal requirements and include criteria for all of the State-specific requirements that were funded based on the approved APD and RFP. The process of developing such a set of checklists is described in the APD Development and Review Protocol and the State Certification Readiness Protocol.

In the State Certification Readiness Protocol, Step 5, the State submits a completed set of checklists along with its letter requesting certification. The CR Team reviews these checklists and references them when it constructs its official certification review checklist package.

Product: Set of checklists that can be used for the certification visit.

Step 5: Initial Review of Material When CMS receives the requested State materials, the documentation is reviewed by the CR Team. The material is divided among the CR Team members based on the business areas to which the CR Team members are assigned. The CR Team members use the checklists to help guide their review.

The CR Team will also study reports from prior visits to the State, review the State’s web site, inquire about the status of MSIS data, and examine any responses from the State. These will help






3-17 September 28, 2007

determine timeliness and readiness of the system for the onsite visit. CR Team members are responsible for reviewing all materials supplied by the State specific to their assigned area.

Reports from recent certifications of similar systems from the same vendor should also be obtained from DSS historical records and reviewed for potential areas of focus.

Product: Review of information provided by and about the State and its contractor. CR Team members are to be familiar with their designated business areas.

Step 6: Certification Review Team RO Briefing The scope of a certification review includes all of the functional areas for which the State requested enhanced Federal funding as set forth in the approved APD. In addition, certain areas may need more detailed examination. These focus areas include any functions that are new to the State, its MMIS, and areas that the responsible RO feels deserve additional attention based on the system and operational development experience.

An important part of the selection of these focus areas is a briefing by the RO to the CR Team. The briefing covers the new Medicaid information support capabilities included in the APD, the history of the MMIS development, new Medicaid services added by the State, and the RO recommendations for focus areas. CMS Medicaid program experts should be included in the briefing to the extent that the CR Team feels that their contributions can help.

Product: Selected areas for focus during the onsite visit.

Step 7: Pre-Certification Meeting/Call In the response to the certification request letter, the State is requested to participate in a pre-certification meeting or call with CMS. During this meeting, the State has the opportunity to discuss the review process and any areas of concern the State may have. In this pre-certification meeting/call, the State provides an overview of its MMIS, presents highlights of the new MMIS and the improved support it provides to the State Medicaid Enterprise. The pre-certification meeting/call may be held via a State visit to CMS in Baltimore, Maryland or via teleconference.

In either case, the agenda should include the steps in the certification processes, the State presentation, and a discussion of the onsite visit schedule including visit to local State and/or contractor facilities and possible visits to off-site locations. The discussion of the onsite visit schedule will include a tentative timeline that enables the State to arrange for availability of key individuals involved with the capabilities under review.

PRE-CERT MEETING/ CALL WITH CMS

State Uses Toolkit

Protocol & Checklists

5






3-18 September 28, 2007

Product: Mutual understanding between CMS and the State of the conduct of the certification visit.

Step 8: Completion of Preparations The CMS Team lead finalizes the onsite visit schedule with the State lead. Once the schedule is finalized, the Team lead schedules a preparation status meeting in which CR Team members report on their review progress and any potential problems they have found. This status meeting should be held about two weeks prior to the onsite visit. After completion of the pre-visit meeting/call and the status meeting, the CR Team should be essentially ready for the certification onsite visit. There may be a few ongoing document reviews to be completed, especially if new material was provided during, or as a result of the pre-visit meeting/call. When preparations are complete, the Team lead notifies the Director, DSS.

The Team lead, supported by the RO representative, coordinates any last minute arrangements between the State, the RO, and the Director, DSS.

Product: Notification to Director, DSS that the CR Team is ready to go to the State and conduct the certification visit.

Onsite Visit Phase The onsite visit provides an opportunity for the CR Team to see and evaluate the new MMIS in operation. During the onsite visit, the CR Team examines the system, its operational environment, and the evidence that it has successfully and fully operated since the claimed operations start date. The CR Team gathers information about the topics in the checklists and decides if the criteria are met. While the CR Team will hold an exit conference to debrief the State, final decisions about certification are made after the CR Team returns from the visit.

The steps in Table 3-6 are required to complete the onsite visit phase.

Table 3-6 Onsite Visit Phase

Certification Review: Onsite Visit Phase Event Line

Step Activity




MMIS CERTIFICATION

VISIT

State + CMS Use Toolkit Protocol &

Checklists

6






3-19 September 28, 2007

Step 9: Entrance Conference If possible, the Team lead conducts a meeting with the CR Team members the evening before the beginning of meetings with the State. At this pre-meeting, the Team lead goes over any recent changes in the plans or schedule for the week or other matters and ensures that CR Team members understand their assigned roles.

The onsite visit begins with an entrance conference with the State. Attendees should include the CR Team, participating State staff, and at the option of the State, contractor staff. The CMS Team lead will emphasize that the intent of the onsite visit is to gather information from the State and verify facts related to the operation of the State's MMIS, using checklists from the Toolkit. In addition, the Team lead indicates that the certification decision will not be made during the onsite visit, but will be available, along with documentation of the results, in approximately sixty days.

During the entrance conference, the CR Team and the State discuss the onsite schedule and activities agreed upon prior to the visit to ensure mutual understanding and agreement. Any needed revisions to the schedule will be made at this time. The State designates staff members to work with each of the CR Team members and identifies additional knowledgeable staff to provide needed information and answer questions, if needed. These individuals will be introduced at the entrance conference. It is expected that the following State staff will be available during the review:

� Medical services supervisors, subject matter experts and staff members as appropriate � State or contractor systems staff who are directly involved in the development and

maintenance of the MMIS and of systems that directly interface with the MMIS � Data processing staff directly involved in MMIS operations � Staff responsible for the maintenance of MMIS information � Representative users of Program Management and Program Integrity capabilities � Any other individuals (including contractors) the State believes should be included

The State will also provide logistics information, including space the CR Team can use for its work and areas for interviews. Because the State is to provide all requested hard copies and screen displays of reports at the beginning of the onsite visit, the State will inform the CR Team what reporting capabilities are available, those that are routinely used, and methods for accessing them.

If a fiscal agent or other contractors of the State agency are to be part of the State’s certification support CR Team, the arrangements for communicating with them should be described. Contractors are to be approached only through the State’s Medicaid program staff.

Following the entrance conference there should be a tour of local MMIS facilities.






3-20 September 28, 2007

Product: Coordination of schedule, logistics, and State and contractor staff availability.

Step 10: Evaluation of the MMIS To start the evaluation, the State provides individual presentations for the CR Team members to introduce them to the areas for which they are responsible, if this did not occur during the pre-conference meeting/call. At the end of these presentations, the CR Team members clarify questions raised and develop, if necessary, a list of follow-up meetings with appropriate staff. During these follow-up sessions, each CR Team member will drill down to validate processes, products, and status needed to validate that the MMIS satisfies checklist criteria.

IMPORTANT: To qualify for certification retroactive to the operational date claimed, the State must produce documentation showing evidence of the operational status of the MMIS since that time. System reports must reflect production dates to support the claimed date and to show that the

entire system has been fully functioning in a manner consistent with Federal requirements the entire time.

Most of the CR Team’s evaluation is performed by directly accessing the MMIS and by reviewing the State’s documentation. A specific source of documentation that the CR Team reviews are the ‘folders’ prepared by the State (defined in Table 1.1 Special Terms and Acronyms). The contents of the folders demonstrate, in the opinion of the State, that each applicable criterion of each applicable checklist is satisfied. These folders and the kinds of data they are to contain are described in the State Certification Readiness Protocol.

CR Team members use the checklists they prepared prior to the onsite visit and the focus areas that the CR Team decided needed additional attention as guides to their selection of materials to review, system areas to explore, and State staff/contractors to interview. The objective of these activities is to verify that the MMIS does or does not satisfy the checklist criteria. When examination of the data related to a checklist criterion is complete, the CR Team member will check the ‘Yes’ or ‘No’ box on the checklist to indicate the results. Comments about the way the criterion is satisfied may be made in the comments field. If ‘No’ is checked, the CR Team member must describe the nature of the failure in the comments field. When CR Team members find that more information is required, they record this as an action item.

In addition to completing the checklists, the CR Team member looks for strong and weak points in the functions or support provided by the MMIS. Strong points are implementations of especially good design that provide effective support to the users of the system. Strong points should be noted by the CMS staff as suggestions to other States as guidance for their MMIS development. Conversely, weak points are implementations of poor design that make user support cumbersome or difficult. Weak points should be noted as possible recommendations for






3-21 September 28, 2007

improvement to be made at the exit conference. Strong and weak points do not indicate that criteria have or have not been satisfied.

On a daily basis, the Team lead privately meets with CR Team members to determine progress, ask for any issues, discuss any criterion evaluated as ‘No’, possible strong points, weak points, recommendations, and action items and the schedule for their resolution. The Team lead develops a daily summary based on CR Team member’s reports. The Team lead meets with the State representative to review the daily summary, track action items, and inform State staff of the following days’ events. At these daily meetings, the State is given an opportunity to address and resolve problems prior to the exit conference.

To prepare for the exit conference the Team lead collects a list of any problems found, strong points for which the State should be given credit, weak points for which recommendations are to be made, and action items that are to be completed by the State after the CR Team leaves from the onsite visit. Corrective Action Plans (CAPs) are identified. CAPs are actions that the State is to follow to correct problems that would potentially cause certification to be denied, that is, problems where the MMIS fails to satisfy Federal requirements or State-specific requirements for which Federal funding was granted...

Product: Completed checklists, lists of strong points and weak points, action items for the State.

Step 11: Exit Conference At the conclusion of the onsite visit, the Team lead, together with CR Team members, holds an exit conference with appropriate State officials and invited staff. At the exit conference the Team lead discusses the activities of the CR Team. It should be emphasized that the onsite activities are designed to gather and verify facts related to the operation of the State's MMIS and to provide the data for the post-visit analysis. During this conference, the Team lead summarizes the findings of the review, reports State’s strong points and weak areas, identifies any unresolved problem areas, and specifies actions required by the State to resolve them. The Team lead informs the State of any action items and additional information and/or documentation required. Identified Corrective Action Plans (CAPs) are cited, and a tentative schedule for their completion is discussed. Arrangements should be made to obtain MMIS access after the CR Team’s return from the State so that access is available if needed.

The State should be advised that the CR Team will develop a report of findings, and a decision on certification of the system will be made within approximately sixty days. The State is notified in writing of the results of the review.

Product: State understanding of the findings of the CR Team, action items, and needed Corrective Action Plans.






3-22 September 28, 2007

Post Review Analysis and Follow-up Phase After the onsite visit, the CR Team ensures completion of all action items and any checklist items awaiting information and prepares a detailed Certification Review Final Report (see Template 3). The CR Team discusses the results of the MMIS analysis and decides if certification from the requested date is appropriate. If so, the CR Team initiates the approval letter (see Template 4). If not, follow-up activities with the State are tracked until certification can be approved. Materials from the review are filed, and the CR Team’s job is complete.

The steps in Table 3-7 are required to complete the post review analysis phase.

Table 3-7 Post Review Analysis and Follow-up Phase Event Line

Post Review Analysis and Follow-up Phase Event Line

Step Activity







Step 12: Analysis of Data After the return from the onsite visit, the CR Team reviews the data collected. Any data requested from the State during the visit must also be received and reviewed. If there are still questions that cannot be resolved, the Team lead will contact the State representative to ask for more data. The data must be analyzed to see what criteria the data affects, and these criteria need to be scored either ‘Yes’ or ‘No.’ If issues need to be investigated, the CR Team members will review documents brought back or use remote access to the State system to gather needed information or identify an issue to be resolved in the next step. The objective of this activity is to use any new data received from the State to complete open items on the checklists or to resolve other questions.

Product: Scored checklists, identification of problems.

Step 13: Resolution of Issues The CR Team, working through the Team lead and the RO, ensures that any open issues are resolved. This includes the completion by the State of any issues or action items identified at the exit conference or identified during data analysis. CAPs that were identified during the onsite visit must be reviewed. If the data analysis reveals new deficiencies that require a new CAP, the






3-23 September 28, 2007

CR Team will agree with the State on the contents of the CAP. Once the State has executed a CAP, adequate evidence of its completion and the solution of the deficiency must be provided to the CR Team. As issues are resolved, the checklists must be updated.

Product: Resolution of open issues and Corrective Action Plans; completion of scoring of checklists.

Step 14: Certification Decision Once all required data has been received, all CAPs completed, and all checklist items dispositioned, each CR Team member must prepare a summary evaluation for each business areas for which they were responsible. These summary evaluations are to be reviewed in a CR Team caucus called by the Team lead. In the caucus, each business area is discussed and the CR Team agrees on ‘Yes’ and ‘No’ items and the overall evaluation. The CR Team looks for problems that may prevent certification or a different certification date from the date that the State claims as the operational date. Generally, problems that prevent certification are those that violate SMM or other Federal requirements, with no alternative means of satisfaction in the system.

At the end of the review, the CR Team will decide if they should recommend that the MMIS be certified and the effective date of the certification. If there are problems that, in the CR Team’s judgment, prevent certification as requested by the State, DSS management must be informed before any other action is taken. Follow-up will be as directed by DSS management. CMS will work with the State to resolve any issues that prevent certification.

Product: Recommendation to certify or not certify the State MMIS as of a given effective date.

Step 15: Certification Review Final Report The results of the certification are documented in a report outlining the areas assessed, the data reviewed, and the results of the evaluation. For each business area, the report lists the Review process, sources and documents examined and Findings. The final report may also list Comments, Corrective Actions, and Recommendations for each business area reviewed. The report, which includes the recommendation to approve, conditionally approve, disapprove, or approve the MMIS on a date later than that requested, are sent to the Director, DSS for review. Template 3 at the end of this chapter provides instructions for completing the Certification Final report and a suggested format.

Product: CMS Certification Review Final Report.

Step 16: Preparation of Response to the State After approval by the Director, DSS, the Team lead writes a memorandum (memo) to be signed by the Director, DSS, to convey the report and the certification recommendation to the Deputy






3-24 September 28, 2007

Regional Administrator (RA) for the area in which the State is located. The memo requests the Deputy RA to convey the CMS decision to the State along with the final report. Template 4 at the end of this chapter provides guidance for this memo.

If the CMS decision is to disapprove the request to certify the system or to approve it on a later effective date than the date requested, the notice memo is to include:

� The findings upon which the determination was made � The procedures for appeal of the determination (in the context of a reconsideration of the

resulting disallowance) in the event the full FFP rate is claimed, to the Departmental Appeals Board

Product: Memo to Deputy Regional Administrator showing certification decision and attaching the final report.

Step 17: Conclusion of the Process Once the decision has been communicated to the State, the major work of the CR Team is finished. The final step is to complete the DSS national profile of MMIS systems and to gather all of the records and file them in DSS designated areas. Both electronic and paper records are to be filed. When this activity is complete, the Team lead communicates to the Director, DSS, that the CR Team’s tasks are completed. The Director, DSS, will disband the CR Team.

Product: Files of records of the process; CR Team disbanded.

Protocol Templates

The following templates are for guidance in producing the documents described in the protocols:

1. State Request for Certification Letter 2. CMS Reply to State Request Letter 3. CMS Certification Review Final Report 4. CMS Certification Disposition Memo






3-25 September 28, 2007

Template 1 – State Request for Certification Letter [State Letterhead] Director Center for Medicaid and State Operations 7500 Security Boulevard Baltimore, MD 21244 [Letter Date] Attention: [Name of Director], Director, Division of State Systems Dear Director: The [State/Commonwealth or District] of [State Name] intends to claim Federal financial participation (FFP) at the 75-percent matching rate for operations of the MMIS commencing [Date]. In accordance, we hereby provide assurance that:

1. The MMIS meets the requirements of 42 CFR 433.117 for all periods for which the 75-percentFFP is being claimed.

2. Explanation of Benefits (EOBs) are being issued on a regular basis for all periods for which 75-percentFFP is being claimed, in accordance with the provisions of Section 10 of P.L. 95-142, which amends section 1903(a)(3) of the Social Security Act.

3. The MMIS has been assessed by the State, using the checklists in the Medicaid Enterprise Certification Toolkit, and is ready for CMS evaluation.

4. The MMIS adjudicates claims and information required for payment of services in accordance with all provisions of 42 CFR 447 and the approved State Medicaid Plan

5. The MMIS generates up-to-date and current MSIS (Medicaid Statistical Information System) data tapes in accordance with the Tape Delivery Schedules contained in CMS’ MSIS (Tape Specifications and Data Dictionary. (Balanced Budget Act of 1997 [Public Law 105-33, section 4753])

6. The State exercises appropriate privacy and security controls over the system in accordance with 45 CFR 95.261, P.L. 104-191, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and 1902(a)(7) of the Social Security Act as further interpreted in regulations at 42 CFR 431.300 to 307.






3-26 September 28, 2007

The [State/Commonwealth or District] of [State Name] officially accepted the Medicaid Management Information System (MMIS) as fully operational on [Date accepted]. Enclosed is a copy of the approval letter addressed to the system developer [Company Name or State development team]. Also attached is a copy of the checklists from the Medicaid Enterprise Certification Toolkit, completed as specified in the Toolkit’s State Certification Readiness Protocol. These checklists demonstrate that the MMIS is ready for the certification review. The State contact person for matters involved in scheduling and competing the certification review is [State contact person’s name], who can be reached at [telephone number] or by electronic mail at [email address]. Sincerely, [Signature of State Medicaid Director or Comparable Official] [Typed name of State Official] [Title of State Official] CC: [State cc list] [RO list]






3-27 September 28, 2007

Template 2 – CMS Reply to State Request Letter Department of Health & Human Services Centers for Medicare & Medicaid Services Center for Medicaid and State Operations 7500 Security Boulevard Baltimore, MD 21244 [Letter Date] Dear [State review requester]: This confirms our receipt of the [State/Commonwealth or District]’s request of [Request letter date], for a certification review of the [State name] Medicaid Management Information System (MMIS). This review is currently scheduled for the week of [Dates]. As you know, the purpose of the onsite visit is threefold:

1. To determine if the [State name] MMIS meets the requirements of Part 11 of the State Medicaid Manual as annotated with current law, regulations, and policy;

2. To verify that the system contains the Medicaid Enterprise support capabilities described in the approved APD and RFP; and

3. To determine that all of the above requirements have been met for any and all periods for which the State may claim 75-percent FFP.

In order to qualify for retroactive approval, the State must produce documentation showing evidence of the operational status of the MMIS since the operational date claimed of [Claimed operational date]. As such, the documentation presented must demonstrate that the MMIS has been fully operational and has been supporting all of the planned Medicaid business functions from this date forward. The onsite visit will last five (5) days, starting with an entrance conference at [Agenda time] on Monday, [Start date] and ending with an exit conference at [Agenda time] on Friday, [End date]. The entrance conference will consist of introductions and a review of the agenda for the week. The entrance conference should be followed by a tour of the operational system's local facilities, if any. At the conclusion of the tour, the certification review Team (CR Team) will separate to perform a detailed review of their respective Medicaid business areas.






3-28 September 28, 2007

The State should provide separate work areas for each of the CR Team members and a detailed introduction for the MMIS support for the Medicaid business area for which the CR Team member is responsible, as listed below:

Team Leader [Business area list] plus Contract Management [Name] [Business area list] [Name] [Business area list] [Name] [Business area list] [Name] [Business area list]

In order to prepare for a successful onsite visit, the CR Team must become familiar with the new MMIS. Specific information needed by the CR Team prior to the review are shown on the enclosed Certification Data Needs list. Any questions about this information will be discussed with State staff members during the pre-certification call/meeting] on [Date] with the CMS CR Team and supporting staff. It should be emphasized that the review is designed to gather and verify facts related to the operation of the [State name] MMIS. While the general findings of the CR Team will be presented at the exit conference, no decision regarding certification will be rendered at that time. If members of your staff have questions please have them contact [Team lead] at [Team lead telephone number] or [Team lead email address]. Sincerely, [Name], Director Division of State Systems cc: Regional Administrator, [Name of region that includes State] Enc: List of Certification Data Needs






3-29 September 28, 2007

CERTIFICATION DATA NEEDS

[Provide list of data needed. The example list below is from Step 3 of the Preparation Phase of the CMS Certification Review Protocol.]

� The date the system was officially accepted by the State as fully operational � The time period of system operations to be claimed at 75-percentFFP � An enterprise system diagram, including all components of the MMIS, identifying overall

logic flow, data flow, systems functions, and their associated data storage � A full and complete set of system documentation (hard copy available onsite) � A network schematic showing all network components and technical security controls � A narrative description of each identified MMIS component including basic functions

and the business area supported � A list of all error codes and explanations by MMIS component � A record layout of each data store with data element definitions � A list of information retrieval functions and reports for each business area (including a

list that identifies the distribution of the reports and who can access the information retrieval displays)

� A substantive and representative set of all reports and information retrieval screens (electronic format preferred)

� Evidence that Medicaid Statistical Information System (MSIS) data requirements have been met for timeliness and data quality

� A statement that the system meets Health Insurance Portability and Accountability Act (HIPAA) requirements for transactions and code sets, privacy and security, and when required, National Provider Identifier. This statement is in addition to the completion of all the HIPAA-related checklist criteria.

� A system acceptance test plan and results � Evidence that a security risk assessment of the new system has been conducted by

qualified personnel to identify security vulnerabilities and that the State has implemented security controls commensurate with these risks and vulnerabilities

The State should also share any other data it feels is necessary to complete the certification review.

The State must provide the data in a mutually agreed upon electronic format or hard format or both at the certification review Team reviewer preference. The State must also provide a copy of the APD, RFP, vendor response to the RFP, contract and system design, and implementation and operations documentation in the same format.






3-30 September 28, 2007

Template 3 – Certification Review Final Report

State Medicaid Management Information System Certification Review Final Report

For [Name of State]

[Start of Visit Date – End of Visit Date] The Certification Review Team examined each of the Medicaid Enterprise business areas, using the following resources: previously provided documentation, State and system responses to the review protocol checklists, system processing reports, specified recurring and ad-hoc reports, online files, interviews with State and fiscal agent staff, and the State follow-up Corrective Action Plans (CAP), if required. The areas examined and the results of the examinations are covered below. Beneficiary Management Business Area Beneficiary Management Checklist Review Process: This section is required. Provide a one or two paragraph description of the business area included in this Business Area, the process that was used to review the business area, the data examined, the ability of the MMIS to support the State in meeting the business objectives, and mention any findings that require a CAP.

Example: We reviewed the MMIS support for Beneficiary Management. The MMIS should ensure efficient and timely maintenance of the beneficiary data, ensure the beneficiary data supports provider inquiry and billing, provide effective update processes, comply with HIPAA requirements, and have flexibility to adapt to program change. We examined the user documentation, the execution dates for the daily and monthly updates, and the activity reports that are produced. The MMIS provides all the required basic functions (i.e., client identification, updating procedures, maintenance controls, distribution of data, client names, social security numbers, eligibility data, Medicare information, etc.). There was one finding that requires State action as discussed below.

Comments: This section is optional. Use this section to document observations found during the review that are noteworthy. It could be something that was positive or something that was not a “show stopper,” but was worth mentioning (maybe leading to a recommendation).






3-31 September 28, 2007

Example: The State has highly efficient automated support for Beneficiary Management. Exception reports are clear and usable and routed to the proper work station by e-mail. We also noted that the data on the reports reflected changes/updated information, and that the documentation was current, notable, and comprehensive.

Findings: This section is required. It describes what was found during the review. If everything has the required functionality or meets the requirements, then state that the business area meets the requirements. If something needs to be corrected before certifying the system, it should be discussed in this section and the Corrective Action section below. Not all findings require CAPs.

Example: There were a high number of error exceptions on the eligibility file coming from the Medicaid Eligibility Determination System that affect Medicaid beneficiary access to care and result in an excessive amount of erroneously denied provider claims

Corrective Action: This section is required if corrective actions are identified. Describe the finding(s) that require a CAP. If the discrepancy has been addressed in a Corrective Action Plan, so state. If there are no corrective actions state “None.”

Example: The State must review the Eligibility file system criteria to determine how to eliminate errors before the data is matched to the provider data file. The State addressed this issue in the [Date} Corrective Action Plan

Recommendations: This section is optional. This section is used to make suggestions that will improve the operation of the Medicaid program or the MMIS. The State can ignore these recommendations; however, many times a recommendation has provided the impetus for the State to move in a direction it was already considering or consider a direction it previously had not considered. If there are no recommendations, state “None”

Example: While no breach of HIPAA security or privacy rules was found, the use of internal e-mail for transmission of sensitive information may constitute a risk; frequent analysis of the security should be done, and all security incidents must be resolved.






3-32 September 28, 2007

Provider Management Business Area Provider Management Checklist Review Process: This section is required Provide a one or two paragraph description of the this Business Area, the process that was used to review the business area, the data examined, the ability of the MMIS to support the State in meeting the business objectives, and mention any findings that require a CAP.

Example: We have reviewed the MMIS support for Provider Management. This support should enable the State Medicaid program to enroll an adequate provider population, ensure proper provider credentials have been verified and are on record, and provide efficient and timely maintenance of provider data, including links between providers and other related entities. The MMIS support should provide fast and efficient service for provider inquiries, comply with HIPAA requirements including those associated with the NPI, and demonstrate flexibility in adapting to program change. We examined the user documentation, the support for provider enrollment, maintenance of provider data, and provider participation summaries for the State’s institutional, fee for service, pharmacy, laboratory, and other program providers. All the basic support functions were reviewed using reports, direct examination of provider data, transaction tracking, and actual hands-on use of simulated functions. There were no findings that requiring State actions.

Comments: This section is optional Use this section to document observations found during the review that are noteworthy. It could be something that was positive or something that was not a “show stopper” but was worth mentioning (maybe leading to a recommendation).

Findings: This section is required. It describes what was found during the review. If everything has the required functionality or meets the requirements, then state that the business area meets the requirements. If something needs to be corrected before certifying the system, it should be discussed in this section and the Corrective Action section below. Not all findings require CAPs. Corrective Action: This section is required if corrective actions are identified Describe the finding(s) that require a CAP. If the discrepancy has been addressed in a Corrective Action Plan, so state. If there are no corrective actions state “None.” Recommendations: This section is optional.






3-33 September 28, 2007

This section is used to make suggestions that will improve the operation of the Medicaid program or the MMIS. The State can ignore these recommendations; however, many times a recommendation has provided the impetus for the State to move in a direction it was already considering or consider a direction it previously had not considered. If there are no recommendations, state “None.”

Operations Management Business Area Reference Data Management Checklist Note to preparer: Continue annotating information as shown above for all Business Areas/Checklists reviewed in the order set out below: Operations Management Business Area Reference Data Management Checklist Review Process

Comments Findings Corrective Action Recommendations

Claims Receipt Checklist Claims Adjudication Checklist Pharmacy Point of Sale Third Party Liability Program Management Business Area Decision Support System / Data Warehouse Checklist Program Management Checklist Financial Management Checklist Federal Reporting Checklist Security and Privacy Checklist Program Integrity Management Business Area Program Integrity Checklist Care Management Business Area Managed Care Enrollment Checklist Managed Care Organization Interfaces Checklist Managed Care PIHP and PAHP Checklist PCCM and Gatekeeper Managed Care Checklist HCBS (Home and Community Based Services) Waivers Checklist Immunization Registry – Owned Checklist Immunization Registry – Interfaced Checklist






3-34 September 28, 2007

Template 4 – Certification Disposition Letter Department of Health & Human Services Centers for Medicare & Medicaid Services Center for Medicaid and State Operations 7500 Security Boulevard Baltimore, MD 21244

Memorandum Date: [Date] From: Director Division of State Systems

Center for Medicaid and State Operations Subject: [State] Medicaid Management Information System (MMIS) Certification Report –

ACTION TO: [RA Name]

Deputy Regional Administrator, [Office location] Regional Office ISSUE The [State/Commonwealth or District] of [State Name] requested approval of 75-percent Federal financial participation (FFP) for the operation of its replacement MMIS retroactive to [Request date]. BACKGROUND This system replaces the [State/Commonwealth or District] of [State Name] ’s previous MMIS. In response to the State's request for certification, system documentation and other relevant materials on file were reviewed by Central Office (CO) and the [Office location] Regional Office (RO) staff members as part of the onsite visit. In addition, a pre-certification conference [call/meeting] was held on [Date], to discuss preparations for the review and answer any State questions regarding review criteria. The onsite visit was conducted [Dates]. The CO/RO staff that performed the onsite reviews of the business areas are listed below:

Team Leader [List Business areas] plus Contract Management

[Name] [Business areas] [Name] [Business areas]






3-35 September 28, 2007

[Name] [Business areas] [Name] [Business areas]

The criteria used as a basis for the onsite visit and subsequent evaluation were:

� 42 CFR 433.117 � Part 11 of the State Medicaid Manual (SMM) as augmented by current legislation and

policies and HIPAA regulations and policies � The approved State Medical Assistance Plan � The Medicaid Enterprise Certification Toolkit � The State’s APD and RFP related to the MMIS procurement

SUMMARY FINDINGS Detailed discussion of these business areas, as well as the other review areas, is contained in the Attachment to this memorandum. All findings and recommendations were thoroughly discussed with State staff on [Date]. During the review, [If no findings, state “no findings”. If findings, list business areas where discovered and include text as follows: CMS requested Corrective Action Plans for each finding. On [Date], the State provided Corrective Action Plans, which adequately addressed the findings.] In addition, the Attachment may contain recommendations, which are intended to assist the State in taking additional steps to improve the operating efficiencies of its MMIS. Although we think such recommendations would improve the operation of the MMIS, the State is not obligated to implement the recommendations. DECISION Based upon our review of all the documentation provided by the State and our findings during our onsite visit, and the State follow-up Corrective Action Plans, the [State name] MMIS meets the certification requirements specified in the above listed criteria. The State may claim FFP at the 75-percent rate of reimbursement for the operational cost of its MMIS from the effective date of [Request date]. FOLLOW-UP ACTIONS Please provide CMSO with a copy of your letter to the State. In your letter to the State, please express our sincere appreciation to the [State name] Medicaid staff including the [Contractor Name] fiscal agent personnel, for their cooperation and hospitality extended to the certification review Team. In addition, please express our appreciation to [RO certification review Team member name] of your Regional Office and [Other RO certification review Team member name]






3-36 September 28, 2007

of the [Other RO office location] for their invaluable assistance during this review. Their participation enabled the review to be accomplished in a timely and efficient manner. Sincerely, [Name of Director, DSS] Attachment: Certification Review Final Report cc: Associate Regional Administrator, Division of Medicaid and State Operations,

[RO office location] Regional Office

Documents

CHAPTER 3: PROTOCOLS - CMSChapter 3: Protocols Introduction A protocol is a step-by-step instruction for performing a specific process. In the Medicaid Enterprise Certification Toolkit